Thursday, 2016-02-11

« Wednesday, 2016-02-10 Index Friday, 2016-02-12 »
*** spzala has quit IRC00:00
*** crinkle has quit IRC00:03
*** crinkle_ has joined #openstack-keystone00:03
*** crinkle_ is now known as crinkle00:04
openstackgerritLance Bragstad proposed openstack/keystone: Remove support for trust scoped tokens in v2.0  https://review.openstack.org/27880200:05
lbragstadayoung ^00:05
lbragstadayoung there is one test case there that is failing that I can't figure out00:05
lbragstadsomething to do with token persistence00:05
*** mylu has joined #openstack-keystone00:05
*** nekrodesk has quit IRC00:11
dstaneklbragstad: you still working?00:13
dstanekbigjools: are you thinking version discovery?00:14
bigjoolsdstanek: it's in direct contradiction to http://dolphm.com/openstack-keystone-service-catalog/00:15
bigjoolsand yes, discovery00:15
dstanekyou may want to ask the devstack folks00:15
bigjoolssure, just wanted to get you guys opinion on it00:17
openstackgerritBrant Knudson proposed openstack/keystone: Convert policy to yaml  https://review.openstack.org/27854200:20
*** mylu has quit IRC00:26
*** jsavak has quit IRC00:28
*** mylu has joined #openstack-keystone00:29
*** nekrodesk has joined #openstack-keystone00:32
*** Dave_____ is now known as Dave00:34
jamielennoxbigjools: there shouldn't be a v3 version in the catalog00:34
bigjoolsjamielennox: right, thanks. just wondered if devstack was special.00:34
*** slberger has left #openstack-keystone00:34
*** mylu has quit IRC00:40
*** mylu has joined #openstack-keystone00:40
*** aginwala has quit IRC00:42
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414900:43
openstackgerritJamie Lennox proposed openstack/keystoneauth: Allow parameter expansion in endpoint_override  https://review.openstack.org/27112000:43
*** aginwala has joined #openstack-keystone00:45
*** mylu has quit IRC00:46
*** aginwala has quit IRC00:46
*** aginwala has joined #openstack-keystone00:46
*** mylu has joined #openstack-keystone00:47
*** mylu has quit IRC00:49
*** mylu has joined #openstack-keystone00:49
openstackgerritTin Lam proposed openstack/keystone: Removing H405 violations from keystone  https://review.openstack.org/27819000:50
*** mylu has quit IRC00:52
*** mylu has joined #openstack-keystone00:55
*** spzala has joined #openstack-keystone00:55
*** mylu has quit IRC00:59
*** spzala has quit IRC01:00
*** mylu has joined #openstack-keystone01:01
*** mylu has quit IRC01:03
*** mylu has joined #openstack-keystone01:06
*** mylu has quit IRC01:08
*** mylu has joined #openstack-keystone01:08
*** aginwala has quit IRC01:13
*** mylu has quit IRC01:13
*** jbell8 has quit IRC01:15
*** mylu has joined #openstack-keystone01:15
zigostevemar: I'm around now.01:16
zigoAre you still up?01:16
*** harlowja has quit IRC01:18
*** mylu has quit IRC01:18
*** chlong has joined #openstack-keystone01:18
*** aginwala has joined #openstack-keystone01:20
*** spandhe has quit IRC01:21
*** _cjones_ has quit IRC01:24
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/27867701:28
*** jasondotstar has quit IRC01:35
*** raginbajin has quit IRC01:35
*** aginwala has quit IRC01:35
*** jasonsb has joined #openstack-keystone01:35
*** dims_ has joined #openstack-keystone01:37
*** jasondotstar has joined #openstack-keystone01:37
*** raginbajin has joined #openstack-keystone01:37
*** dims has quit IRC01:38
*** dims_ has quit IRC01:41
*** gildub has quit IRC01:41
*** alex_xu has quit IRC01:43
*** lhcheng has quit IRC01:44
*** alex_xu has joined #openstack-keystone01:45
*** gyee has quit IRC01:48
*** dims has joined #openstack-keystone01:49
openstackgerritAnu G Enchackal proposed openstack/keystone: test commit  https://review.openstack.org/27882601:50
*** mylu has joined #openstack-keystone01:51
*** mylu has quit IRC01:54
*** spzala has joined #openstack-keystone01:58
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Split oslo_config and list all opts  https://review.openstack.org/26727702:02
*** spzala has quit IRC02:02
*** lhcheng has joined #openstack-keystone02:03
*** ChanServ sets mode: +v lhcheng02:03
*** edmondsw has quit IRC02:03
*** lhcheng has quit IRC02:03
*** browne has quit IRC02:07
*** alex_xu has quit IRC02:08
*** alex_xu has joined #openstack-keystone02:10
*** jasonsb has quit IRC02:10
*** daemontool has quit IRC02:11
*** jasonsb has joined #openstack-keystone02:13
*** jasonsb has quit IRC02:14
*** clenimar_ has joined #openstack-keystone02:14
dolphmbigjools: ideally, devstack would use unversioned endpoints, but the reality is that we have an ecosystem of existing clients that don't *all* support api version discovery *well*, so the catalog reflects the lowest common denominator. any step we can make towards smarter clients is a step towards unversioned endpoints.02:14
bigjoolsgotcha02:15
*** openstackgerrit has quit IRC02:15
dolphmbigjools: so it's not simply a matter of changing the endpoints that are created in devstack :( although that's a great way to find what breaks ;)02:15
*** chlong has quit IRC02:15
bigjoolsyeah, I'm doing precisely that right now, I see breakage :)02:16
*** clenimar_ has quit IRC02:16
jamielennoxdolphm: sure, but the fact that they've got /v3 endpoints in the catalog means that it should have broken already if there was something relying on that02:18
dolphmjamielennox: i'm not *just* talking about keystone, and i'm not *just* talking about the latest version of every client02:19
dolphmbigjools: jamielennox: for bonus points, make tempest work with unversioned URLs in the [identity] url and url_v3 config options, and let it work with unversioned URLs in the actual catalog02:21
dolphmotherwise, defcore effectively asserts that everyone use versioned URLs02:21
jamielennoxdolphm: agree on nova and others, however for devstack its almost by definition the latest version so i think it's ok to do the newest thing there02:21
*** spzala has joined #openstack-keystone02:21
*** daemontool has joined #openstack-keystone02:23
*** openstackgerrit has joined #openstack-keystone02:23
*** chlong has joined #openstack-keystone02:29
*** spzala has quit IRC02:29
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414902:31
*** nekrodesk has quit IRC02:31
*** jbell8 has joined #openstack-keystone02:32
*** jbell8 has quit IRC02:39
*** lhcheng has joined #openstack-keystone02:45
*** ChanServ sets mode: +v lhcheng02:45
*** su_zhang has quit IRC02:45
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/27872802:46
*** csoukup_ has joined #openstack-keystone02:46
*** woodster_ has quit IRC02:46
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/27867802:47
*** csoukup_ has quit IRC02:50
*** lhcheng_ has joined #openstack-keystone02:53
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947902:54
*** lhcheng has quit IRC02:56
*** roxanaghe has quit IRC02:58
*** lhcheng has joined #openstack-keystone02:58
*** ChanServ sets mode: +v lhcheng02:58
*** dikonoor has joined #openstack-keystone03:00
*** lhcheng_ has quit IRC03:01
*** browne has joined #openstack-keystone03:06
*** mylu has joined #openstack-keystone03:06
*** daemontool has quit IRC03:08
*** links has joined #openstack-keystone03:10
*** spandhe has joined #openstack-keystone03:11
*** spandhe_ has joined #openstack-keystone03:13
dstanekyay, here comes all the things!03:13
*** bill_az_ has quit IRC03:15
*** spandhe has quit IRC03:15
*** spandhe_ is now known as spandhe03:15
*** fawadkhaliq has joined #openstack-keystone03:16
*** spandhe has quit IRC03:20
*** spandhe has joined #openstack-keystone03:20
*** mylu has quit IRC03:34
*** mylu has joined #openstack-keystone03:35
openstackgerritMerged openstack/keystone: Remove support for trusts in v2.0  https://review.openstack.org/27485003:39
openstackgerritMerged openstack/keystone: Consolidate the fernet provider validate_v2_token()  https://review.openstack.org/27485103:39
openstackgerritMerged openstack/keystone: Added CORS support to Keystone  https://review.openstack.org/24131703:39
openstackgerritMerged openstack/keystone: Make fernet work with oauth1 authentication  https://review.openstack.org/26778103:39
*** lhcheng has quit IRC03:42
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947903:43
*** su_zhang has joined #openstack-keystone03:43
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947903:44
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947903:45
*** roxanaghe has joined #openstack-keystone03:46
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947903:47
*** roxanaghe has quit IRC03:47
*** nekrodesk has joined #openstack-keystone03:48
*** jasonsb has joined #openstack-keystone03:52
*** ptoohill has left #openstack-keystone03:52
stevemardstanek: ALL THE THINGS MERGED!03:56
*** aginwala has joined #openstack-keystone04:04
*** lhcheng has joined #openstack-keystone04:07
*** ChanServ sets mode: +v lhcheng04:07
*** tsymanczyk has joined #openstack-keystone04:13
*** Guest52385 has quit IRC04:13
*** tsymanczyk is now known as Guest1912004:13
*** boris-42 has quit IRC04:14
*** woodster_ has joined #openstack-keystone04:23
*** Nirupama has joined #openstack-keystone04:25
*** diazjf has joined #openstack-keystone04:28
*** jgriffith is now known as jgriffith_away04:31
*** mylu has quit IRC04:34
*** aginwala has quit IRC04:34
*** mylu has joined #openstack-keystone04:38
*** dims has quit IRC04:43
*** fawadkhaliq has quit IRC04:46
*** roxanaghe has joined #openstack-keystone04:48
ayoungWow04:51
ayoung such merge.  Very Gate04:51
*** roxanaghe has quit IRC04:52
openstackgerritayoung proposed openstack/keystone-specs: Service Catalog Subsets by ID  https://review.openstack.org/16090904:57
openstackgerritayoung proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865004:57
openstackgerritSteve Martinelli proposed openstack/keystone: Remove PostParams middleware  https://review.openstack.org/27766404:58
stevemarayoung: ^ easyyyy patch05:02
*** markvoelker has quit IRC05:03
*** clenimar_ has joined #openstack-keystone05:04
*** clenimar_ has quit IRC05:04
*** jamielennox is now known as jamielennox|away05:06
openstackgerritMerged openstack/keystonemiddleware: Make pep8 *the* linting interface  https://review.openstack.org/27859905:06
openstackgerritSteve Martinelli proposed openstack/keystone: Deprecate admin_token_auth  https://review.openstack.org/27544305:07
*** aginwala has joined #openstack-keystone05:08
*** fawadkhaliq has joined #openstack-keystone05:11
*** aginwala has quit IRC05:12
openstackgerritMerged openstack/python-keystoneclient: Make pep8 *the* linting interface  https://review.openstack.org/27860205:14
*** dave-mcc_ has quit IRC05:15
openstackgerritMerged openstack/keystone: Added tokenless auth headers to CORS middleware  https://review.openstack.org/27858005:18
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947905:20
openstackgerritSteve Martinelli proposed openstack/keystone: Followup for LDAP removal  https://review.openstack.org/27719605:21
*** jgriffith_away is now known as jgriffith05:21
*** mylu has quit IRC05:24
*** mylu has joined #openstack-keystone05:27
*** jamielennox|away is now known as jamielennox05:31
*** roxanaghe has joined #openstack-keystone05:49
*** roxanaghe has quit IRC05:52
*** roxanaghe has joined #openstack-keystone05:52
*** vgridnev has joined #openstack-keystone05:58
*** dikonoor has quit IRC05:59
*** markvoelker has joined #openstack-keystone06:04
*** wasmum has quit IRC06:05
*** jaosorior has joined #openstack-keystone06:10
*** dan_nguyen has quit IRC06:18
stevemarjamielennox: poke06:19
jamielennoxstevemar: sup06:19
stevemarjamielennox: punt this one through? https://review.openstack.org/#/c/277664/06:19
stevemarjamielennox: it's not used anywhere...06:20
jamielennoxstevemar: weird, done06:20
stevemarthanks sir06:21
*** spandhe has quit IRC06:32
*** markvoelker has quit IRC06:34
openstackgerritMerged openstack/keystone: Make pep8 *the* linting interface  https://review.openstack.org/27859106:36
*** woodster_ has quit IRC06:36
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/27867606:36
openstackgerritMerged openstack/keystone: Moves policy setup into a fixture.  https://review.openstack.org/27852806:37
openstackgerritSteve Martinelli proposed openstack/keystone: Fix release note of removal of v2.0 trusts support  https://review.openstack.org/27864706:39
openstackgerritSteve Martinelli proposed openstack/keystone: Stop using nose as a Python3 test runner  https://review.openstack.org/27805406:40
openstackgerritSteve Martinelli proposed openstack/keystone: Enables token_data_helper tests for Python3  https://review.openstack.org/27805506:40
*** lhcheng has quit IRC06:42
*** vgridnev has quit IRC06:43
*** henrynash has joined #openstack-keystone06:47
*** ChanServ sets mode: +v henrynash06:47
*** vgridnev has joined #openstack-keystone06:55
*** jaosorior has quit IRC06:56
openstackgerrithenry-nash proposed openstack/keystone: Change get_project permission  https://review.openstack.org/27005706:59
*** aginwala has joined #openstack-keystone07:02
*** vgridnev has quit IRC07:10
*** vgridnev has joined #openstack-keystone07:18
*** jaosorior has joined #openstack-keystone07:20
openstackgerritSteve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/24948607:28
openstackgerritMerged openstack/keystone: Deprecate Saml2 auth plugin  https://review.openstack.org/27543807:29
openstackgerritSteve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/24948607:29
openstackgerritMerged openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591607:30
*** rudolfvriend has joined #openstack-keystone07:32
*** jaosorior has quit IRC07:32
*** fhubik has joined #openstack-keystone07:36
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/27890107:40
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/27890207:40
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/27890307:40
*** diazjf has quit IRC07:42
*** spandhe has joined #openstack-keystone07:42
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/27890707:44
*** spandhe_ has joined #openstack-keystone07:45
*** spandhe has quit IRC07:47
*** spandhe_ is now known as spandhe07:47
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947907:52
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947907:53
*** richm has joined #openstack-keystone07:55
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947907:55
*** fhubik has quit IRC07:57
openstackgerritSteve Martinelli proposed openstack/keystone: Deprecate admin_token_auth  https://review.openstack.org/27544307:58
openstackgerritSteve Martinelli proposed openstack/keystone: Followup for LDAP removal  https://review.openstack.org/27719607:59
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947907:59
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947908:00
*** jaosorior has joined #openstack-keystone08:05
openstackgerritMerged openstack/keystone: Remove PostParams middleware  https://review.openstack.org/27766408:05
*** vgridnev has quit IRC08:06
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947908:08
*** aginwala_ has joined #openstack-keystone08:09
*** sinese_ has joined #openstack-keystone08:10
*** aginwala has quit IRC08:11
*** mylu has quit IRC08:12
*** spandhe_ has joined #openstack-keystone08:26
*** jed56 has joined #openstack-keystone08:26
*** spandhe has quit IRC08:28
*** spandhe_ is now known as spandhe08:28
*** henrynash has quit IRC08:31
*** su_zhang has quit IRC08:34
*** sinese_ has quit IRC08:34
*** su_zhang has joined #openstack-keystone08:35
*** rcernin has joined #openstack-keystone08:35
*** browne has quit IRC08:38
*** su_zhang has quit IRC08:39
*** e0ne has joined #openstack-keystone08:42
*** aginwala_ has quit IRC08:43
*** mylu has joined #openstack-keystone08:43
*** pnavarro has joined #openstack-keystone08:43
*** aginwala has joined #openstack-keystone08:44
*** openstackgerrit has quit IRC08:47
*** openstackgerrit_ has joined #openstack-keystone08:47
*** mhickey has joined #openstack-keystone08:47
*** mylu has quit IRC08:47
*** openstackgerrit_ is now known as openstackgerrit08:48
*** aginwala has quit IRC08:49
*** alex_xu_ has joined #openstack-keystone08:49
*** alex_xu has quit IRC08:52
*** roxanaghe has quit IRC08:57
*** fawadkhaliq has quit IRC08:59
*** fhubik has joined #openstack-keystone09:00
*** fhubik is now known as fhubik_brb09:00
*** fhubik_brb is now known as fhubik09:05
*** mylu has joined #openstack-keystone09:13
*** fhubik is now known as fhubik_brb09:13
*** spandhe has quit IRC09:14
*** mylu has quit IRC09:18
*** _cjones_ has joined #openstack-keystone09:18
*** fhubik_brb is now known as fhubik09:18
*** _cjones_ has quit IRC09:25
*** vgridnev has joined #openstack-keystone09:25
*** _cjones_ has joined #openstack-keystone09:25
*** mvk has joined #openstack-keystone09:27
*** markvoelker has joined #openstack-keystone09:31
*** alexpro has quit IRC09:33
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/27890309:33
*** markvoelker has quit IRC09:36
*** gildub has joined #openstack-keystone09:38
*** gildub has quit IRC09:45
*** _cjones_ has quit IRC09:46
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/27890209:46
rudolfvriendgood morning keystone crowd ;) a maybe dumb question from a contributor newbie: how do I indicate best that I’m ‚done‘ with a commit and the review can proceed?  https://review.openstack.org/#/c/276873/09:57
*** roxanaghe has joined #openstack-keystone09:58
*** gildub has joined #openstack-keystone10:02
*** roxanaghe has quit IRC10:02
*** spandhe has joined #openstack-keystone10:02
*** nekrodesk has quit IRC10:02
*** vgridnev has quit IRC10:03
*** vgridnev has joined #openstack-keystone10:08
*** vgridnev has quit IRC10:09
*** vgridnev has joined #openstack-keystone10:11
*** vgridnev has quit IRC10:12
*** vgridnev has joined #openstack-keystone10:12
*** vgridnev has quit IRC10:13
*** mylu has joined #openstack-keystone10:14
*** vgridnev has joined #openstack-keystone10:15
*** mylu has quit IRC10:19
*** gildub has quit IRC10:21
*** gildub has joined #openstack-keystone10:22
marekdrudolfvriend: welcome!10:25
marekdrudolfvriend: first of all I doubt anybody will be doing serious reviews if the automatic jenkins tests are not passing10:26
marekdso make sure they do10:26
marekdand even if they still pass and you are not ready for a review  you can still upload your code and later hit a button "Reply" and set "Workflow" to -110:27
marekdwhich will be a clear indication for the reviewers that the patch is still "work in progress"10:27
rudolfvrienddoes that mean when everything is ‚green‘ (tests) and workflow is not -1 that the review will be picked up again?10:32
*** vgridnev has quit IRC10:34
marekdrudolfvriend: what do you mean 'picked up' ?10:39
marekdif workflow is not set to -1 and tests passes this means that somebody doing reviews will be likely to take a look. It's pointless to review something that even doesn't pass unit tests :-)10:40
*** vgridnev has joined #openstack-keystone10:42
*** vgridnev has quit IRC10:45
*** vgridnev has joined #openstack-keystone10:46
*** jbell8 has joined #openstack-keystone10:48
*** dims has joined #openstack-keystone10:48
rudolfvriendok. understood: I do not need to do anything else besides making sure the tests pass and worklow is not set to -1..  thanks.10:52
marekdrudolfvriend: well, you can also ask some cores (and non-cores) to review the patch. But, try to be gentle in that matter :-)10:54
marekdbut i seee you added some reviewers in the patch10:54
*** mvk has quit IRC10:54
*** roxanaghe has joined #openstack-keystone10:59
*** roxanaghe has quit IRC11:03
openstackgerritMerged openstack/keystone: Fix release note of removal of v2.0 trusts support  https://review.openstack.org/27864711:13
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/27890111:15
*** fawadkhaliq has joined #openstack-keystone11:16
*** daemontool has joined #openstack-keystone11:21
*** mvk has joined #openstack-keystone11:26
*** jbell8 has quit IRC11:28
*** jbell8 has joined #openstack-keystone11:29
*** markvoelker has joined #openstack-keystone11:32
*** fhubik is now known as fhubik_brb11:33
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Trying py27/34 with oslo-master  https://review.openstack.org/27764811:33
*** fhubik_brb is now known as fhubik11:34
*** markvoelker has quit IRC11:37
*** fhubik is now known as fhubik_brb11:41
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947911:41
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947911:44
samueldmqbknudson_: stevemar: besides project-team-guide patch on docs (264398)11:45
samueldmqbknudson_: stevemar: our corresponding keystone docs patch needs love (246400)11:45
*** vgridnev has quit IRC11:56
*** vgridnev has joined #openstack-keystone11:56
*** pnavarro has quit IRC12:03
*** peter-hamilton has joined #openstack-keystone12:07
*** spandhe has quit IRC12:08
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain filter to v3 list_projects  https://review.openstack.org/15839812:09
openstackgerritHenrique Truta proposed openstack/keystone: Allow project domain_id to be nullable at the manager level  https://review.openstack.org/26453312:09
openstackgerritHenrique Truta proposed openstack/keystone: Add tests in preparation of projects acting as a domain  https://review.openstack.org/27236912:09
openstackgerritHenrique Truta proposed openstack/keystone: Verify project unique constraints for projects acting as domains  https://review.openstack.org/15837212:09
*** ig0r_ has joined #openstack-keystone12:12
*** mylu has joined #openstack-keystone12:14
*** gildub has quit IRC12:14
*** mylu has quit IRC12:18
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Change get_project permission  https://review.openstack.org/27005712:23
*** jbell8 has quit IRC12:24
*** doug-fish has joined #openstack-keystone12:29
samueldmqdstanek: hi12:30
samueldmqdstanek: I'd like to your view on this (https://review.openstack.org/#/c/244149/24/keystone/resource/core.py)12:32
samueldmqdstanek: I don't like the way it is, but maybe I am just being too hard12:33
*** markvoelker has joined #openstack-keystone12:33
*** markvoelker has quit IRC12:37
*** daemontool has quit IRC12:39
*** fhubik_brb is now known as fhubik12:39
*** daemontool has joined #openstack-keystone12:39
*** dims has quit IRC12:40
rodrigodssamueldmq, ^ agree with you about the log12:41
rodrigodshtruta, ^12:42
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fix nits from domain specific roles CRUD support  https://review.openstack.org/27902912:44
samueldmqrodrigods: thanks for looking at it12:44
samueldmqstevemar: ayoung: ^ adressed nits left on domain specific roles CRUD ^12:45
*** pnavarro has joined #openstack-keystone12:49
*** daemontool_ has joined #openstack-keystone12:49
*** daemontool__ has joined #openstack-keystone12:49
*** daemontool has quit IRC12:51
htrutarodrigods, samueldmq, I agree that the HTTP method is enough. But how will it appear on that specific message?12:51
rodrigodshtruta, when you try to perform the action, the message is displayed right? so you know the method you've called. if you are debugging for someone else, the endpoint called is displayed in the logs prior to the actual error message12:53
*** raildo-afk is now known as raildo12:53
*** daemontool_ has quit IRC12:54
htrutarodrigods: right. I just intend to have it in the same message as the error. If you, for example, use a tool to parse logs, like a logstash and only filters the ERROR ones, you wouldn't easily know that12:54
dstaneksamueldmq: i agree, that seems odd. instead of asserting maybe that needs to return a boolean and leave the messaging to the caller12:55
rodrigodshtruta, ^ makes more sense12:55
samueldmqdstanek: ++ that's a good alternative12:55
rodrigodshtruta, filtering doesn't apply for this scenario actually... you can't debug the forbidden error without knowing what you are looking for12:57
samueldmq++12:57
htrutarodrigods, samueldmq: I disagree with the filtering, but I liked dstanek's suggestion. Guess that'll make everybody happy12:58
*** su_zhang has joined #openstack-keystone12:59
*** roxanaghe has joined #openstack-keystone13:00
*** su_zhang has quit IRC13:03
openstackgerritMarek Denis proposed openstack/keystone: Create V9 version of catalog driver interface  https://review.openstack.org/26945513:04
openstackgerritMarek Denis proposed openstack/keystone: Service Providers and Projects associations  https://review.openstack.org/26485413:04
*** roxanaghe has quit IRC13:05
*** pauloewerton has joined #openstack-keystone13:08
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.  https://review.openstack.org/27343813:09
*** nekrodesk has joined #openstack-keystone13:11
*** nekrodesk has quit IRC13:11
*** jsavak has joined #openstack-keystone13:12
*** mylu has joined #openstack-keystone13:14
*** nekrodesk has joined #openstack-keystone13:16
*** nekrodesk has quit IRC13:16
*** esp has joined #openstack-keystone13:17
*** nekrodesk has joined #openstack-keystone13:18
*** nekrodesk has quit IRC13:18
*** mylu has quit IRC13:19
*** dims has joined #openstack-keystone13:20
*** nekrodesk has joined #openstack-keystone13:20
*** nekrodesk has quit IRC13:20
openstackgerritMarek Denis proposed openstack/keystone: Service providers groups associations  https://review.openstack.org/27563613:20
*** nekrodesk has joined #openstack-keystone13:22
*** nekrodesk has quit IRC13:22
*** Guest57497 is now known as zeus13:22
*** zeus has joined #openstack-keystone13:22
*** daemontool__ has quit IRC13:23
*** markvoelker has joined #openstack-keystone13:23
*** esp has quit IRC13:23
*** nekrodesk has joined #openstack-keystone13:26
*** nekrodesk has quit IRC13:26
*** nekrodesk has joined #openstack-keystone13:30
*** nekrodesk has quit IRC13:30
*** nekrodesk has joined #openstack-keystone13:33
*** woodster_ has joined #openstack-keystone13:33
*** daemontool__ has joined #openstack-keystone13:35
*** edmondsw has joined #openstack-keystone13:38
*** daemontool_ has joined #openstack-keystone13:42
*** Nirupama has quit IRC13:43
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414913:44
htrutasamueldmq, rodrigods, dstanek take a look now13:44
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414913:45
*** daemontool__ has quit IRC13:46
*** links has quit IRC13:48
*** ninag has joined #openstack-keystone13:55
*** daemontool_ is now known as daemontool13:56
*** fhubik is now known as fhubik_brb13:57
*** edmondsw has quit IRC13:59
*** dancn has joined #openstack-keystone14:01
*** roxanaghe has joined #openstack-keystone14:01
*** richm has quit IRC14:03
*** jaosorior has quit IRC14:05
*** jaosorior has joined #openstack-keystone14:05
*** roxanaghe has quit IRC14:06
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414914:07
*** dave-mccowan has joined #openstack-keystone14:08
*** dave-mcc_ has joined #openstack-keystone14:11
*** dave-mccowan has quit IRC14:14
*** krotscheck_dcm is now known as krotscheck14:15
tjcocozzhtruta, ping14:17
htrutatjcocozz: hi14:17
tjcocozzhtruta, can you explain what L330 does in https://review.openstack.org/#/c/243585/12/keystone/resource/controllers.py14:17
tjcocozzhtruta, this method https://github.com/openstack/keystone/blob/2702645af1ad2c390948c947b27824b7a12a34e9/keystone/common/controller.py#L78714:18
*** richm has joined #openstack-keystone14:18
htrutatjcocozz: it enforces the policy rule, to see if the user has permission to that. Is that correct, raildo ?14:18
tjcocozzhtruta, i thought that is what the method _check_projects_list does.14:19
tjcocozzhtruta, in resource/controllers.py ^_^14:20
*** spzala has joined #openstack-keystone14:21
raildotjcocozz: the _check_projects_list check for the role access on the subtree, in other words, if the user have a assignment in the subtree14:22
raildotjcocozz: but we have to verify if the specific role can perform the update_project action14:22
raildotjcocozz: so, we made a check_protection for every project on the subtree14:23
tjcocozzraildo, thank you.  you cleared it up.14:23
*** su_zhang has joined #openstack-keystone14:23
raildotjcocozz: np14:23
tjcocozzraildo, htruta  that makes sense.  i new i was missing something14:23
raildotjcocozz: we made on this way, because we can reuse the _check_projects_list on the delete project :)14:27
*** links has joined #openstack-keystone14:28
raildotjcocozz: and just change the check_protection to verify the delete_project action14:28
tjcocozzraildo, cool! that works for me.  Almost done reviewing it now. i just want to pull it down and test some things14:29
raildotjcocozz: great :)14:30
ayoungsamueldmq, +2.  make sure you add reviewers to those.  I added Henry.14:41
ayoungsamueldmq, put this one to bet, please: https://review.openstack.org/#/c/158398/5214:44
*** fhubik_brb is now known as fhubik14:47
*** fhubik is now known as fhubik_brb14:57
*** roxanaghe has joined #openstack-keystone15:02
*** jaosorior has quit IRC15:06
*** nekrodesk has quit IRC15:06
*** roxanaghe has quit IRC15:06
*** fhubik_brb is now known as fhubik15:12
*** sigmavirus24_awa is now known as sigmavirus2415:17
*** phalmos has joined #openstack-keystone15:18
*** ig0r_ has quit IRC15:21
*** pushkaru has joined #openstack-keystone15:21
*** csoukup_ has joined #openstack-keystone15:23
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857015:28
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857015:29
*** henrynash has joined #openstack-keystone15:30
*** ChanServ sets mode: +v henrynash15:30
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857015:31
*** petertr7 is now known as petertr7_away15:31
*** daemontool_ has joined #openstack-keystone15:32
*** jsavak has quit IRC15:32
*** daemontool has quit IRC15:34
*** woodster_ has quit IRC15:36
*** dave-mcc_ has quit IRC15:37
*** dave-mccowan has joined #openstack-keystone15:37
samueldmqayoung: nice, will look now15:38
*** jsavak has joined #openstack-keystone15:40
ayoungsamueldmq, that one is origianlly from last may.  It is one line and a bunch of tests.  I swear sometimes we are just abusive15:40
ayoungcorrection.  it is from last February.  Must have been one in a chain15:41
*** fawadkhaliq has quit IRC15:42
*** fawadkhaliq has joined #openstack-keystone15:43
*** edmondsw has joined #openstack-keystone15:43
*** mylu has joined #openstack-keystone15:44
samueldmqayoung: yes, sometimes we are too slow15:45
openstackgerritJorge Munoz proposed openstack/keystone: Fix trust chain/redelegation tests  https://review.openstack.org/27816315:45
openstackgerritJorge Munoz proposed openstack/keystone: Consolidate trust tests into a single class  https://review.openstack.org/27862815:45
*** knikolla has joined #openstack-keystone15:48
*** pnavarro has quit IRC15:48
*** roxanaghe has joined #openstack-keystone15:49
ayoungjorge_munoz, those two look good. Why is it that we can now drop the redelegated_trust_id from new_trust_ref?15:49
samueldmqayoung: what's in the top of that chain ?15:50
ayoungsamueldmq, that is a bunch of HMT stuff.  I think the end state is domain-is-a-project15:50
samueldmqayoung: I really hate the way dependencies are show in the new gerrit ui :/15:50
samueldmqshown*15:50
ayoungsamueldmq, yeah.15:51
ayoungsamueldmq, there is the "same topic" tab, though15:51
ayoungsamueldmq, hackathon at the next summit that pushes through the HMT changes.15:52
*** dobson has quit IRC15:52
ayoungsamueldmq, 2 GOALS:15:52
ayoung1.  Domain-is-a-project fully supported15:52
ayoung2. Strict naming so we can form names for nested proejcts like Dom1/p1/p2/p315:53
ayoungThose two things should have been there years ago.15:53
*** EmilienM has quit IRC15:53
samueldmqayoung: "reseller (phase 1): top level projects as domains" is targeted m-315:54
ayoungsamueldmq, excellent.  But is it going to happen?15:54
samueldmqayoung: I am looking at domain roles, project tree disabling/deletion, then reseller pahse 115:54
samueldmqayoung: I don't know, I will review15:54
ayoungsamueldmq, anything that needs my review throw at me, please15:54
*** phalmos has quit IRC15:55
samueldmqayoung: ++15:55
ayoungsamueldmq, I want HMT and dynamic policy.  Then I can quit the project in peace15:55
ayoung:)15:55
*** slberger has joined #openstack-keystone15:55
henrynashayoung, samueldmq: are we saying we are not putting in domains as a project in mitaka?15:56
ayounghenrynash, we are15:56
ayounghenrynash, I am being a pessimist15:56
ayoungI want them in yesterday15:57
ayounghenrynash, so what do we need to do to get them in ?15:57
henrynashayoung, samueldmq: I have worked a lot of on these patches over the last few weeks, and the first lot are good to go, imho15:57
henrynashayoung, samueldmq: we need a fix to cinders broken nester quotos for before the main one will pass…they aer fixing it15:58
ayounghenrynash, we were just griping over the webUI making it hard to tell where a chain starts.   WHich is the first of the first?15:58
henrynashayoung: it’s appaling15:58
henrynashlet me get that for you15:58
samueldmqyeah15:58
* ayoung wonders at the entemology of appalling...15:58
*** dan_nguyen has joined #openstack-keystone15:58
samueldmqhtruta: ayoung: henrynash: it's possible to use False instead of 0 here: https://review.openstack.org/#/c/158398/52/keystone/resource/controllers.py15:59
ayoungfrom Old French apalir ‘grow pale,’15:59
samueldmqare you okay if I update it ?15:59
henrynashayoung, samueldmq: https://review.openstack.org/#/c/264533/2415:59
henrynashthat’s the first one15:59
ayoungsamueldmq, leave the nits for now15:59
*** phalmos has joined #openstack-keystone15:59
ayoungjust revord them and we'll fix as bugs15:59
ayounghenrynash, is 89 good to go for a migration number?16:00
henrynashsamueldmq: so the explict check is for a string of ‘0’ in our filter matches16:00
samueldmqayoung: henrynash: +2+A it's working now16:00
samueldmqas it is16:00
ayoungOK16:00
samueldmqhenrynash: only 4 patches ?16:01
samueldmqhenrynash: for phase 1 ?16:01
samueldmqhenrynash: that's what I can see from 'related changes' in https://review.openstack.org/#/c/26453316:01
ayoungI love ther Null Object Pattern16:01
htrutasamueldmq: there is more... but after the "projects acting as domains" they're pretty simple16:01
ayounghttps://en.wikipedia.org/wiki/Null_Object_pattern  should be required reading16:01
henrynashsamueldmq: so there are 5 includeing the one that swicthes over to domains actually stored as projects16:02
htrutahenrynash: there is also the one that drops the domain table16:02
samueldmqhtruta: got it, btw do you have an etherpad with the list of patches and their organization,16:02
henrynashsamueldmq: there are then some clean up ones that I havement worked (whichi remove old code)16:02
samueldmq?16:02
henrynashsamueldmq: yes, including that16:02
htrutasamueldmq: not yet, I can create one16:02
samueldmqhtruta: would be helpful, and I guess quick for you to create one:)16:02
jorge_munozayoung: Because redelegated_trust_id is read-only attribute, it should not be passed in the ref.'16:03
ayoungjorge_munoz, how is it deduced then?16:04
henrynashsamuedlmq: I had held off on those inccase we were only doing “additive changes” to the database in mitaka…now we have dropped that idea (for m) I can lick those into shape too16:04
ayoungjorge_munoz, line number? please16:04
*** links has quit IRC16:04
samueldmqhenrynash: NULL_DOMAIN_ID = '<<keystone.domain.root>>'16:04
samueldmqhenrynash: same as you did ? for concurrency, etc ?16:04
ayounghenrynash, get the clean up ones posted WIP, please16:04
samueldmqhenrynash: I meant, same as you did for domain roles16:04
jorge_munozayoung: https://github.com/openstack/keystone/blob/master/keystone/trust/core.py#L14716:04
*** dobson has joined #openstack-keystone16:05
ayoungjorge_munoz, but in the test that is not available.  That is inside the controller16:05
ayoungbelow the controller I should say16:05
henrynashsamuedlmq: yes, with the added idea that we actual use this row as FK enforcement -16:05
ayounghow does the test say "create a new trust extending this old one" now?16:05
*** EmilienM has joined #openstack-keystone16:06
ayoungjorge_munoz, and, I apologize, as I was mot intimately involved in the trust redelegation work.  I wish I had been.16:06
ayoungSo thanks veryh much for tackling this16:06
htrutaayoung, samueldmq, henrynash: here you go https://etherpad.openstack.org/p/reseller-phase1-patches16:07
*** phalmos has quit IRC16:07
henrynashayoung thx16:07
*** phalmos has joined #openstack-keystone16:08
jorge_munozayoung: np, it should not be needed. When a new trust is created with a delegated auth, the redelegated id is retrieve from the trusted token.16:08
ayoungAh.16:09
ayoungjorge_munoz, did we make that a hard-and-fast requirment?  That you use a token from a trust in order to redelgate the trust only?16:09
samueldmqhtruta: thanks16:10
jorge_munozayoung: From my understanding, the only way one can redelegate a trust is with a trusted token.16:11
ayoungjorge_munoz, OK.  I like16:11
ayoungthat makes a lot of sense to me.  I can fully endorse this16:11
ayoungand it is a pattern to continue.16:11
*** woodster_ has joined #openstack-keystone16:11
*** mylu has quit IRC16:12
*** mylu has joined #openstack-keystone16:12
*** vgridnev has quit IRC16:15
*** mylu_ has joined #openstack-keystone16:17
*** mylu has quit IRC16:17
*** diazjf has joined #openstack-keystone16:18
ayounghenrynash, samueldmq Ok, that chain looks good up til the last one that is still failing tests etx16:18
henrynashayoung: I’ll post a new one soon for https://review.openstack.org/#/c/231289, althoug it will stil fial teh cinder tests16:19
ayounghenrynash, sounds good.  Where is the "strict naming" feature these days?16:20
henrynashayoung: all merges16:20
henrynashmerged16:20
ayoungawesome16:20
ayounghenrynash, now the real issue:  how do we get people to use that as the default16:20
*** diazjf1 has joined #openstack-keystone16:20
ayoungproject name is mutable, right?16:21
henrynashayoung: I say intoduce features they need that depend on it!16:21
*** browne has joined #openstack-keystone16:21
henrynashayoung: you mean, can you modify teh project name? yes16:21
ayounghenrynash, I'm still stuck on getting is_admin_project supported.  New installs are easy, but migrations...oy gewalt!16:21
henrynashayoung: understand16:21
*** vgridnev has joined #openstack-keystone16:22
*** diazjf has quit IRC16:22
*** vgridnev has quit IRC16:22
ayounghenrynash, so what do you think of this plan....16:22
ayoung1.  create a middleware piece that enforces policy, limited only to the roles16:23
* samueldmq will be back in a bit, lunch time16:23
ayoung2.  create policy rules that are based on URL, not the hidden  API name16:23
ayoung3.  Fetch that RBAC policy from Keystone dynamically16:23
ayoungI think that is the way forward16:24
ayoungleave the scope check where it is now, deep in the code, and guards the object out of the database16:24
*** mvk has quit IRC16:24
ayoungwe could even push it deeper in in some cases, right near the drivers.16:24
ayoungwe can leave the HTTP check as is.  And nothing says you can't do additional role checks there, too16:25
ayoungmaybe we indicate via an env var whether the object has passed the role check in the middleware16:25
ayoungand the middleware one has an explicit exception for the admin override?16:26
ayoungDoes that meet your concerns?16:26
* ayoung should not have numbered.16:26
henrynashayoung: sorry, was distracted…reading up16:26
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916216:27
henrynashayoung: sorry, continued distractions at the moment, need tp unt on this conversation for a bit (since it needs serious thinking….)….16:29
ayounghenrynash, No problem.  I'm going to write that up as a spec and we can discuss there.16:29
henrynashayoung: that’s a good idea16:30
*** browne has quit IRC16:33
*** peter-hamilton has quit IRC16:34
*** mylu has joined #openstack-keystone16:36
*** mylu_ has quit IRC16:38
*** andrewbogott has quit IRC16:38
*** tpeoples has quit IRC16:38
*** comstud has quit IRC16:38
*** richm has quit IRC16:39
*** ayoung has quit IRC16:39
*** errr_ has quit IRC16:39
*** wasmum has joined #openstack-keystone16:40
*** jdennis has quit IRC16:41
*** jdennis has joined #openstack-keystone16:42
*** tpeoples has joined #openstack-keystone16:43
*** andrewbogott has joined #openstack-keystone16:44
*** comstud has joined #openstack-keystone16:44
samueldmqhenrynash: "Support an additional (more standard) inheritance rule" is targeted m-316:44
samueldmqhenrynash: but it appears as Slow progress; do we still want it in m3?16:44
*** browne has joined #openstack-keystone16:44
henrynashsamueldmq: I’m punting on that…and have abandoned it16:45
henrynashsameudlmq: thought I had marked it as so?16:45
*** phalmos_ has joined #openstack-keystone16:50
*** roxanaghe has quit IRC16:51
*** r-daneel has joined #openstack-keystone16:52
*** ayoung has joined #openstack-keystone16:52
*** ChanServ sets mode: +v ayoung16:52
samueldmqhenrynash: I will remove the target from it16:52
henrynashsamuedlmq: thx16:53
samueldmqhenrynash: done, np16:53
*** errr_ has joined #openstack-keystone16:53
*** phalmos has quit IRC16:54
*** rcernin has quit IRC16:56
*** nekrodesk has joined #openstack-keystone16:57
*** nekrodesk has quit IRC16:57
*** daemontool_ has quit IRC16:57
openstackgerritMerged openstack/keystone: Change get_project permission  https://review.openstack.org/27005716:58
openstackgerritMerged openstack/keystone: Fix nits from domain specific roles CRUD support  https://review.openstack.org/27902917:00
*** nekrodesk has joined #openstack-keystone17:00
*** nekrodesk has quit IRC17:00
*** gyee has joined #openstack-keystone17:05
*** ChanServ sets mode: +v gyee17:05
*** roxanaghe has joined #openstack-keystone17:06
*** pushkaru has quit IRC17:06
*** roxanaghe has quit IRC17:07
*** petertr7_away is now known as petertr717:07
*** rudolfvriend has quit IRC17:08
*** e0ne has quit IRC17:14
*** fhubik has quit IRC17:15
*** nekrodesk has joined #openstack-keystone17:15
*** nekrodesk has quit IRC17:15
*** lhcheng has joined #openstack-keystone17:16
*** ChanServ sets mode: +v lhcheng17:16
openstackgerrithenry-nash proposed openstack/keystone: Modify rules in the v3 policy sample for domain specifc roles  https://review.openstack.org/26207817:18
*** _cjones_ has joined #openstack-keystone17:19
henrynashayoung: see if you prefer this now https://review.openstack.org/#/c/262078/ (separate policy endpoints for global vs domain roles)17:19
*** nekrodesk has joined #openstack-keystone17:19
*** nekrodesk has quit IRC17:19
ayounghenrynash, you write like a bard17:20
ayoung"To ease complexity (and hence risk)"17:20
henrynashayoung: (or maybe a bird)17:20
ayoungpoetry17:20
ayounghenrynash, so...can you do multiple decorators on a function?17:21
ayounglike17:21
ayoung@controller.filterprotected('name', 'domain_id'17:21
ayoungbut above that17:21
ayoung@controller.default('domain_id',None)17:21
ayoungor something?17:22
henrynashin theory,  yes…17:22
ayoungyeah, you do that in line 37417:22
henrynash(we do that with protected and vaidation)17:22
ayoungcool.  That would be the pattern we would propagate in the future that you specify17:23
ayoungnice17:23
henrynashi kind of left17:23
henrynashit written out long hadn for now17:23
henrynashbut yes, we could encapsualte the idea17:23
ayounghenrynash, yep...I like this17:23
*** petertr7 is now known as petertr7_away17:23
ayoungI like this a lot17:23
*** pushkaru has joined #openstack-keystone17:24
ayounghenrynash, you write default logic like I do...coming from other languages. dstanek would probably have written:  self.method_name = method_name or '%s'17:25
henrynashayoung: oops, yeah, I always forget you can do that!17:25
dstanekayoung: ?17:25
ayounghenrynash, if there is another iteration.17:25
henrynashayoung: sure17:25
ayoungdstanek, here: https://review.openstack.org/#/c/262078/17/keystone/common/router.py17:25
ayoungdstanek, lines 29ish17:26
dstanekah, yeah. i probably would have gone with an 'or' unless there are real falsy values to consider17:27
ayoungdstanek, and it is a string.  So a falsy value would be bizarre17:27
ayounghenrynash, is method_name the right name there?17:28
*** ebalduf has joined #openstack-keystone17:28
dstanekayoung: ''17:28
henrynashayoung: open to offers17:28
ayoungtemplate?17:28
ayoungmethod_template?17:28
henrynashayoung: good name17:28
ayounghenrynash, I was just trying to think how to make it self documenting.17:29
dstanekthe_var_formerly_known_as_method_name17:29
ayoungOK./..I'll add those comments there.  Looking at the rest17:29
henrynashdstanek: exactly17:29
ayoungdstanek, NI!17:29
ayoungSorry, wrong referece17:29
ayoungthat would be17:29
ayoung the_var_that_until_recently_was_called_method_name17:30
*** nekrodesk has joined #openstack-keystone17:31
*** fawadkhaliq has quit IRC17:33
*** _cjones_ has quit IRC17:34
*** jsavak has quit IRC17:34
*** _cjones_ has joined #openstack-keystone17:36
openstackgerrithenry-nash proposed openstack/keystone: Modify implied roles to honor domain specific roles  https://review.openstack.org/26306417:42
*** jsavak has joined #openstack-keystone17:42
gyeestevemar, should be tag this one for backport? https://bugs.launchpad.net/keystone/+bug/153587817:45
openstackLaunchpad bug 1535878 in OpenStack Identity (keystone) "A user with a role on a project should be able to issue a GET /project call" [Medium,Fix released] - Assigned to Ajaya Agrawal (ajayaa)17:45
*** dmsimard has joined #openstack-keystone17:46
dmsimardayoung: o/17:46
ayoungdmsimard, thanks17:46
dmsimardhopefully I don't have to explain this many more times :(17:46
ayoungdmsimard, we don;'t have morgainfainberg or jamielennox (well he's asleep I assume) now but...17:47
ayoungdmsimard, I will17:47
ayoungcut and paste from our previouis17:47
dmsimardsure17:47
ayoungdolphm, need your advice on a bug from the tripleo team, coming to them from devstack17:47
ayoungor anyone else that understands the keystoneauth migration for that matter17:48
*** lhcheng has quit IRC17:48
ayounghttps://bugs.launchpad.net/puppet-nova/+bug/154248617:48
openstackLaunchpad bug 1542486 in OpenStack Compute (nova) "nova-compute stack traces with BadRequest: Specifying 'tenant_id' other than authenticated tenant in request requires admin privileges" [Undecided,Incomplete]17:48
*** lhcheng has joined #openstack-keystone17:49
*** ChanServ sets mode: +v lhcheng17:49
*** lhcheng has quit IRC17:49
*** lhcheng has joined #openstack-keystone17:49
*** ChanServ sets mode: +v lhcheng17:49
ayoungdmsimard, https://git.openstack.org/cgit/openstack/puppet-nova/commit/?id=d09868a59c451932d67c66101b725182d7066a14  that was the commit right>?17:49
ayoungdmsimard, and the issue is the line "Add /v3 for neutron_auth_url parameter. It's now required in Nova. "17:50
*** lhcheng has quit IRC17:50
ayoungAnd it should not be required in Nova which is why sdague is being a bit of a stickler here17:50
dmsimardyes, before this, puppet-nova would default to the "password" plugin and unversioned keystone url17:50
ayoungok...let me find the devstack commit and rationale17:50
*** Guest15678 is now known as mariusv17:51
*** mariusv has quit IRC17:51
*** mariusv has joined #openstack-keystone17:51
dmsimardthis broke overnight, we reached out to #openstack-nova for help and they pointed us to the config that worked for devstack and thus aligned our defaults with that17:51
openstackgerrithenry-nash proposed openstack/keystone: Modify rules for domain specific role assignments  https://review.openstack.org/26354917:51
ayoungGAH17:52
ayoungdmsimard, do you have that link?17:53
dmsimardayoung: for the discussion ?17:53
dmsimardlemme find it17:53
ayoungdmsimard, or just to the config for devstack17:53
dmsimardayoung: http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2016-02-05.log.html#t2016-02-05T21:06:3217:54
ayoungdmsimard, we have so many people coding to /v2.0 and we are not able to move beyond that.  For example, devstack just reverted the change that defaulted to v3 cuz it broke swift17:54
dmsimardI can try to see where devstack configures that, I'm not super familiar with it17:54
ayoungdims, that was your conversation17:54
*** knikolla has quit IRC17:54
* dims peeks17:55
ayoungdmsimard, so I know I would like it to look like17:55
ayoungauth_plugin = password17:55
ayoungauth_url = http://127.0.0.1:35357/17:55
dmsimardayoung: this looks fairly old https://github.com/openstack-dev/devstack/commit/394968fa3d6b0f3b296b49d038aac25b74c2dca717:55
ayoungand that should work.  The fact that it does not is what I am questioning17:55
dmsimardayoung: yes, what you just put is what we had before17:55
ayoungdmsimard, I though neutron had been updated, and worked with all that17:56
ayoung jamielennox committed on Aug 27, 201517:56
ayoungUm...17:56
dmsimardayoung: if you scroll a bit up in that eavesdrop, you can see I post logs to the failures and the config puppet was putting17:56
ayounghe wrote the negotiation code17:56
dmsimardlogs: http://logs.openstack.org/92/276492/6/check/gate-puppet-openstack-integration-scenario001-tempest-dsvm-centos7/78b9c32/logs/nova/nova-compute.txt.gz17:56
ayoungif he could have used it, he would have.17:56
ayoungHmmmm17:56
*** fawadkhaliq has joined #openstack-keystone17:56
dmsimardconfig: http://logs.openstack.org/92/276492/6/check/gate-puppet-openstack-integration-scenario001-tempest-dsvm-centos7/78b9c32/logs/etc/nova/nova.conf.txt.gz17:56
*** spandhe has joined #openstack-keystone17:57
ayoungdmsimard, the thing is, the /v3 should be unnecessary17:57
dmsimardin the config you see auth_plugin=password and unversioned auth_url17:57
dmsimardSo there's a bug, because it doesn't work :p17:58
ayoungyeah...I'm stumpted.17:58
dmsimardI can't provide more proof than the two logs link I gave you17:58
ayoungdmsimard, I am willing to punt on this.  THe whole "drop /v3 specific urls" was jamielennox 's burning platform.17:58
*** Guest19120 has quit IRC17:59
ayoungIt is really hard to figure out what is the state of things without him here.  Lets not waste any more cycles on it17:59
dmsimardDo what you gotta do, we have to use this because it works and it allows us to move forward - we can drop /v3 and go back to password when it's sorted out17:59
ayoungjust know that it will burn us somewhere down the road17:59
*** tsymanczyk has joined #openstack-keystone17:59
*** tsymanczyk is now known as Guest1434717:59
*** Guest14347 has quit IRC18:00
ayoungdmsimard, this falls into the bucket of things I would never have done that way in the first place.18:00
ayoung4 year on this project and it is still all legacy to me18:00
ayoungbut thanks for taking an interest18:00
dmsimardis there any other way, though ?18:00
ayoungdmsimard, yes, and I will explain at the summit but only in the presense of alcohol18:00
ayoungnot worth it now.18:00
dmsimardHah, drink one in my honor - I won't be able to go to Austin :)18:01
*** lhcheng has joined #openstack-keystone18:03
*** ChanServ sets mode: +v lhcheng18:03
ayoungDagnabit18:04
ayoungdmsimard, that is unfortunate18:04
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947918:06
*** browne has quit IRC18:07
*** jsavak has quit IRC18:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947918:07
*** jsavak has joined #openstack-keystone18:08
*** aginwala has joined #openstack-keystone18:14
*** tsymancz1k has joined #openstack-keystone18:14
*** e0ne has joined #openstack-keystone18:15
*** rcernin has joined #openstack-keystone18:17
*** lhcheng has quit IRC18:19
*** roxanaghe has joined #openstack-keystone18:31
ctraceyhey folks...question on keystoneclient if anyone has a few18:32
*** gordc has joined #openstack-keystone18:32
*** phalmos_ has quit IRC18:33
ctraceyhas any thought been given to allow alternate auth methods via something like stevedore plugins?18:33
*** petertr7_away is now known as petertr718:33
ctraceyright now password and token can be somewhat limiting18:33
*** mhickey has quit IRC18:34
*** su_zhang has quit IRC18:36
*** jlvillal has quit IRC18:38
*** drjones has joined #openstack-keystone18:39
*** _cjones_ has quit IRC18:39
*** jlvillal has joined #openstack-keystone18:39
ctraceyd'oh...maybe I spoke too soon18:39
ctraceyi see the entrypoints, but not sure where/if those are being utilized18:40
ctraceyi'll dig a bit further18:40
*** gordc has quit IRC18:41
*** browne has joined #openstack-keystone18:44
*** knikolla has joined #openstack-keystone18:46
*** tsymancz1k has quit IRC18:50
*** clenimar has left #openstack-keystone18:50
*** gyee has quit IRC18:53
*** daemontool has joined #openstack-keystone18:54
ayoungctracey, so...yes18:56
ayoungthe project you are looking for is keystoneauth18:56
ayoungkeystoneclient should be just for talking to the keystone server for keystone business like adding users18:56
ayounganything else should be via the openstack common CLI python-openstackclient18:57
ayoungand you can absotutley use auth plugins there.  What kind are you looking for?18:57
*** tsymanczyk has joined #openstack-keystone19:00
ctraceyheh - derp19:00
stevemarctracey: o/19:00
*** jsavak has quit IRC19:00
*** tsymanczyk is now known as Guest947519:00
ctraceyI am looking at keystoneclient and not openstackclient...muscle memory19:00
*** spandhe has quit IRC19:02
*** spandhe has joined #openstack-keystone19:02
*** jsavak has joined #openstack-keystone19:03
*** harlowja has joined #openstack-keystone19:04
ctraceyok - this is looking much more promising :)19:04
*** su_zhang has joined #openstack-keystone19:07
*** jsavak has quit IRC19:07
*** fawadkhaliq has quit IRC19:12
samueldmqhenrynash: stevemar: dstanek: I wonder if we could/should get ride of @controller.protectect in favor of direct calls for enforcement19:15
samueldmqhenrynash: that would make your new version of  "Modify rules in the v3 policy sample for domain specifc roles" muh simpler/easier to understand19:15
samueldmqprotected*19:16
openstackgerritBrant Knudson proposed openstack/keystone: Deprecate admin_token_auth  https://review.openstack.org/27544319:16
*** phalmos has joined #openstack-keystone19:16
samueldmqbknudson_: ayoung: you too ^ :)19:16
*** phalmos has quit IRC19:17
bknudson_I don't think it's going to make a major difference whether it's a decorator or a call. We can design a decorator that's easy to use or a function that's confusing to call.19:17
bknudson_functions are typically easier so might as well go that way19:18
samueldmqbknudson_: for domain roles specifically (https://review.openstack.org/#/c/262078/17/keystone/assignment/controllers.py)19:18
samueldmqbknudson_: it would be easier as a function, as domain roles have different policy entried than global roles19:19
samueldmqbknudson_: henrynash had to create different CRUD methods for domain roles just to hold the @protected annotation19:19
bknudson_no, he didn't. He could have changed the decorator.19:19
bknudson_e.g., @controller.protected(action='whatever')19:20
samueldmqbknudson_: but what does in action varies according to the parameters19:20
samueldmqgoes*19:21
samueldmqi.e need to check on the role entity first to decide what check need to be done19:21
bknudson_nobody's going to be able to understand it or use it anyways so what's the difference.19:21
*** nekrodesk has quit IRC19:22
samueldmqI think calling as a enforcement as a function would make it much clearer19:22
bknudson_I agree might as well just make a function that you can call rather than mess up the code with extra functions19:22
samueldmqin this case specficially, as we wouldn't need to create create_domain_role, update_domain_roles, etc methods just for the deorator19:23
bknudson_propose your alternative as a follow-on.19:23
*** jsavak has joined #openstack-keystone19:23
*** jsavak has quit IRC19:23
samueldmqwill do, but my point is to get enough feedbck before going ahead19:24
samueldmqI don't want to put effort if others don't agree with me19:24
samueldmqfrom the beginning19:24
*** jsavak has joined #openstack-keystone19:24
bknudson_ok, but you're asking us to put in effort19:24
samueldmqonly effort I am asking from you is to discuss with me19:25
samueldmqI may make the change19:25
*** boris-42 has joined #openstack-keystone19:26
edmondswjamielennox, what's you're take on https://bugs.launchpad.net/keystoneauth/+bug/154202419:27
openstackLaunchpad bug 1542024 in keystoneauth "keystoneauth1.access.service_catalog.ServiceCatalog is missing factory method" [Undecided,New]19:27
ayoungsamueldmq, leave the decorators.  We can always do an explicit call if needed. The decorator was  refactored from direct calls before19:30
ayoungwhat henry is hitting here is the need to do two different policy checks on the same API call based on the scope of the request, as this is the first time we have a resource that could be either globally scoped or scoped to a domain19:31
*** jbell8 has joined #openstack-keystone19:31
*** jsavak has quit IRC19:31
*** jsavak has joined #openstack-keystone19:32
samueldmqayoung: I am thinking about extracting the contents of @protected to a function called enforce19:33
samueldmqayoung: decorator calls enforce19:33
samueldmqayoung: this way we can either use the decorator or call the function directly where appropriated19:33
samueldmqayoung: but maybe that will become more confusing (lack of standard ?)19:34
ayoungsamueldmq, I think that is fine.  But we have the guts of that method already in common/controllers.py I think19:35
dmsimardoh, hey, ayoung.. stevemar might have an opinion on our issue :)19:35
*** jbell8 has quit IRC19:35
ayoungdmsimard, yep he very well might19:36
ayoungsamueldmq, I was origianlly going to pull that method in to common/authorize.py ZI think19:36
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py19:37
*** jbell8 has joined #openstack-keystone19:37
*** phalmos has joined #openstack-keystone19:37
samueldmqayoung: could be a good idea; I think that's there just to ease imports ? as controllers already import controller.py to inherit from Controller19:37
samueldmqayoung: but I agree with your idea19:37
ayoungsamueldmq, so, you are pulling some stuff out of long term memory19:37
ayounghere is what I wanted to do19:37
dmsimardstevemar: please excuse my laziness but I've explained this a couple times already. We seem to be hitting issues in nova since the migration to keystoneauth1. We have worked around it for the time being but perhaps there is a real problem we need to address.19:38
ayoung1.  Get a good, cross project model for the data that is in the auth object19:38
ayoungthat was this commit:19:38
ayounghttps://review.openstack.org/#/c/184651/19:38
dmsimardstevemar: Any chance you could read the backlog ( http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-02-11.log.html#t2016-02-11T17:46:50 ) where I explained this and let us know what you think ?19:38
ayoungsamueldmq, I wanted that origianlly to be both inside and outside of Keystone...probably in keystoneauth is the right place19:38
ayoungbut jamielennox had a different, dictionary based approach, which is the auth context.19:39
ayoungsamueldmq, regardless, I want a policy enforcement call that is the same inside and outside keystone server19:40
ayoungso at a minimum, extracting the decorator off the controller would be a good step19:40
samueldmqayoung: I see; lots of things work around dictionaries instead of objects19:40
ayoungor the logic inside the decorator19:40
ayoungsamueldmq, yeah...it makes me sad19:40
samueldmqayoung: we don't instantiate a role entity when a request arrives :/19:41
ayoungsamueldmq, to be fair, his goal was to work with the JSON respomnse from keystone without copying19:41
ayoungsamueldmq, I am a believer in a strongly typed domain model.  Not a  Stringly typed.19:41
samueldmqayoung: I like working with objects19:42
samueldmqayoung: I was surprised we didn't worked with objects for entities (vs dics) when I started working in keystone19:42
*** mylu has quit IRC19:42
samueldmqayoung: is it the same on other porjects you"ve seen (in openstack) ?19:42
ayoungsamueldmq, blame termie.  The original Keystone was in Java.  The java guys ported to Python, but it looked like Java.  Termie ported to maintainable python, but with a focus on key-value-pair datastores, and everything was a dictionary19:43
samueldmqayoung: so that way, jsonschema validation would happen, let's say, when __init__ from Role entity is called19:43
ayoungTo be fair, he was under time constraints, but I think he wanted it that way19:43
*** mylu has joined #openstack-keystone19:44
samueldmqayoung: anyways we could do the change if we want to19:44
ayoungsamueldmq, I want a strong domain model, and the token construction to be composed of adding those objects to a token-Work-in-progress, and then final step converted to JSON or other marshalling form19:44
samueldmqayoung: and shouldn't be terrible to do it19:44
ayoungsamueldmq, it involves getting consensus from the rest of the Keysteon core devs, which I was not able to do19:45
samueldmqayoung: yes, token is composed of other entities, and to_dict may be used to convert to json19:45
ayoungjamielennox, in general was opposed19:45
ayoungconsensus is hard19:45
samueldmqopposed in server or client or both ?19:45
samueldmqwe actually have a models.py, but don't use it as models for instantiating model entities19:46
*** nekrodesk has joined #openstack-keystone19:46
*** nekrodesk has quit IRC19:46
ayoungsamueldmq, so, I would be satisfied with getting it right in Keystone, but more important to me is having a common policy enforcement framework both inside and outside keystone19:47
ayoungand if the outside form is dictionary based, the inside one should be as well19:47
stevemardmsimard: i'll add it to my list19:48
dmsimardis that a bad thing? :p19:48
ayoungsamueldmq, Ideally, I would be able to hit keystone with just a username, credential, and a project, and keystone would build up a token model and check policy on that, without having to parse an actual token.  But that is sort of where Fernet is headed.19:48
stevemardmsimard: the list grows indefinitely19:49
samueldmqayoung: how is policy enforcement framework different than oslo.policy?19:49
ayoungsamueldmq, I think it would all be easier if we were working with a strong domain model, but, meh.  Working code and 6 month release cycles and consensus19:49
ayoungsamueldmq, this is the Keystone auth specific enforcemebnt:  knows about roles and the other keystone specific objects19:49
ayoungso it would call oslo policy,19:49
ayoungoslo remains agnostic19:49
dmsimardstevemar: expected so, thanks ;)19:50
ayoungin fact, even the role: check should come out of oslo policy, as that is the only thing that is keystone specific in there19:50
ayoungdmsimard, if you can stay up late enough, the right person to bug is jamielennox .  But its the middle of his night in Australia right now19:50
*** jbell8 has quit IRC19:51
dmsimardayoung: can you follow up with him ? I don't really have the knowledge required to dig into this, it's a bit too low level for me :)19:51
ayoungdmsimard, will do19:52
dmsimardhopefully our conversation earlier gave you more info19:52
*** nekrodesk has joined #openstack-keystone19:52
ayoungdmsimard, I'll see if we can get a better approach.  But for now, go with the /v3 URL and we can fix this in postproduction19:52
dmsimardk19:52
ayoungdmsimard, in the meantime, please +2 Apache HTTPD and get it moving: https://review.openstack.org/#/c/213175/19:53
ayoungdmsimard, It will help avoid use debugging eventlet problems in the future, and provide a fix to the peopel that are seeing them now19:54
dmsimardayoung: your assumption that I am a core in tripleo is wrong, I am a lowly newbie :P19:54
ayoungAh19:54
* ayoung needs to find others to bug19:54
*** aginwala has quit IRC19:56
*** roxanaghe has quit IRC19:57
*** mylu has quit IRC19:59
*** fawadkhaliq has joined #openstack-keystone20:02
samueldmqstevemar: I will post an update to 275443 so we can merge it20:04
*** aginwala has joined #openstack-keystone20:04
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490120:06
*** ayoung has quit IRC20:06
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Deprecate admin_token_auth  https://review.openstack.org/27544320:07
*** vgridnev has joined #openstack-keystone20:07
samueldmqstevemar: ^20:07
stevemarthanks samueldmq20:08
stevemar:)20:08
*** dmsimard has left #openstack-keystone20:08
samueldmqstevemar: np :)20:08
raildotjcocozz: are you around?20:08
raildotjcocozz: it's about https://review.openstack.org/#/c/243585/12/keystone/resource/controllers.py20:09
*** jasonsb has quit IRC20:09
samueldmqstevemar: +2'ed too, didn't +1 for now in the case bknudson_ wants to vote there too20:10
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490120:10
samueldmq(I saw your comment there and he's been participating of that change a lot)20:10
samueldmqdidn't +A *20:11
samueldmqhenrynash: do you agree with my comment on 262078 ?20:15
knikollaHi all! Quick question about keystone to keystone federation. A nonadmin user cant do identity:list_service_providers as per policy, but i'm able to get the service_providers from the service catalog doing ksclient2.service_catalog.catalog[u'service_providers']. Is this supposed to be the case?20:18
knikollawhere ksclient2 is the client v3 from keystoneclient20:18
*** su_zhang has quit IRC20:19
rodrigodsstevemar, ping... do you have, by any chance, an example of federation done via openstackclient?20:20
*** ayoung has joined #openstack-keystone20:22
*** ChanServ sets mode: +v ayoung20:22
stevemarrodrigods: not readily available :[20:23
rodrigods:( ok, will make one here than20:23
knikollarodrigods: i have already setup k2k as per your blog post and it's working. I'm just investigating better ways to code it using the keystoneclient functions.20:24
*** rcernin has quit IRC20:24
rodrigodsknikolla, awesome, you may use openstackclient as well20:24
rodrigodsit has a lot of federation stuff on it already20:24
knikollaits a cli though, i'm investigating python libraries. i saw that the keystone client has a federation.service_providers.list() function which requires admin privilege as per the identity:list_service_providers policy. However I saw that I can get the service provider list in the service catalog without admin privilege.20:26
knikolladoing v3client.service_catalog.catalog[u'service_providers']20:26
raildodolphm: ping, I answered your question here: https://review.openstack.org/#/c/258650/22/keystone/tests/unit/test_v3_assignment.py maybe you have any idea to help me to solve this problem...20:27
rodrigodsknikolla, hmm that depends on what is returned in both calls20:27
rodrigodsif they return the same information so we may open the service provider listing rule to non-admin users20:27
rodrigodsat least, makes sense to me20:28
*** ebalduf has quit IRC20:28
knikollaclient.federation.service_providers returns a ServiceProviderManager (or something like that) which has get/list/create methods.20:28
dolphmraildo: it looks like the wrong user is being used to execute the tests20:28
knikollaclient.service_vatalog.catalog[u'service_providers'] returns a simple list20:28
*** ebalduf has joined #openstack-keystone20:29
rodrigodsknikolla, I mean, what is sensitive there are the service provider attributes (sp_url, sp_auth_url and so on)20:29
knikollalet me check20:29
rodrigodsif you can access them in the service_catalog list (which I think you can iirc), I think you can create a bug to change the service provider listing rule20:30
*** fawadkhaliq has quit IRC20:30
knikollarodrigods, heres a pastebin with the comparison http://pastebin.com/raw/S5q75xhv20:33
*** Guest9475 has quit IRC20:34
rodrigodsknikolla, pretty the same, i'd create a bug to change the default behavior in the policy20:35
jamielennoxedmondsw: i commented on https://bugs.launchpad.net/keystoneauth/+bug/1542024 - i would be ok with adding a create() to the service catalog, but what you're doing is fine20:37
openstackLaunchpad bug 1542024 in keystoneauth "keystoneauth1.access.service_catalog.ServiceCatalog is missing factory method" [Undecided,New]20:37
knikollarodrigods, thanks. I'll do that.20:37
*** ebalduf has quit IRC20:39
*** phalmos has quit IRC20:39
*** aginwala has quit IRC20:40
*** aginwala has joined #openstack-keystone20:40
*** ebalduf has joined #openstack-keystone20:40
jamielennoxknikolla: we're open to anything you come up with for how to make k2k easy on the client side20:42
openstackgerritRaildo Mascena proposed openstack/keystone: [WIP]Make fernet default token provider  https://review.openstack.org/25865020:43
knikollajamielennox that's great to hear!20:43
jamielennoxknikolla: i've investigated it once or twice - this is an example of the script i was writing: http://paste.openstack.org/show/486755/20:44
jamielennoxi *think* at the time the list_service_providers wasn't ready20:44
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857020:44
jamielennoxone thing i know we're missing is how to expose all the options via the CLI because you have multiple project_name parameters, but so far no one has a burning need for it20:46
knikollaI'll have a look at the Keystone2Keystone class20:48
ayoungjamielennox, unfortunatley , you and dmsimard seem to be working opposite sides of the clock.  He was here asking about the issues with puppet and /v3.  Am I correct in maintaining that we should be using Discovery and versionless URL everywhere?20:49
knikollaright now my code is a bit ugly as it messes with api calls and json (like in rodrigods blog post)20:49
ayoungknikolla, are you on a puppet managed system?20:49
rodrigodsyou're calling my code ugly! hehe20:49
*** spzala has quit IRC20:49
*** su_zhang has joined #openstack-keystone20:50
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916220:50
knikollahahaha nooo. I just think that should be handled in the background by a client library instead of be done by hand.20:50
jamielennoxayoung: i replied to your quick email, the devstack thing i think is just a quirk of the order things were done and by who. I would use discovery and versionless but from a puppet perspective i'd really just like them to take a blob so if we can get client certs working we don't need to retool it all20:50
ayoungknikolla, there was the start of a puppet module to setup K2K.  I was actually just looking at that20:50
knikollaayound: nope, i'm using two devstacks20:50
knikollaayoung20:50
knikollaand some automation scripts to setup k2k20:51
ayoungknikolla, ah.  Devstack.  Joy.20:51
rodrigodsknikolla, yeah... the K2K class was my code too (did the blog post before it was coded)20:51
rodrigodsbut as jamielennox said, we are missing it in the CLI20:51
ayoungjamielennox, yeah, I just read that.20:51
jamielennoxayoung: it's one of those things that doesn't really matter, but we forget that puppet and OSA copy defaults from devstack20:52
jamielennoxso we should do the right thing there20:52
*** daemontool_ has joined #openstack-keystone20:52
knikollaI'll certainly have a look at it. We're hacking nova to attach a cinder volume from another devstack. It works, bu the code could use some polish though.20:52
ayoungjamielennox, Tripleo just merged HTTPD Keystone20:53
jamielennoxayoung: nice!20:53
ayoungI think that is the last vestige of Eventlet Keystone in our main projects20:53
jamielennoxayoung: i've started messing with ursula and they don't do it :(20:53
openstackgerritHenrique Truta proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/23128920:53
*** e0ne has quit IRC20:53
ayoungjamielennox, there are enough Big Blue Keystoners  that you should be able to change that20:54
ayoungtopol, make Jamie's life easy and get the Ursula folks to wise up and run Keystone HTTPD!20:54
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916220:55
jamielennoxayoung: yes, well, this is bluebox20:55
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Extract enforcement logic to its own method  https://review.openstack.org/27926320:55
jamielennoxand this is the argument jesse was making at the summit about running keystone and horizon in seperate virtualenvs on the same box20:55
jamielennoxso, hopefully soon20:55
*** daemontool has quit IRC20:55
samueldmqayoung: bknudson_ ^ just submited the change, the new method could be used in henrynash's patch20:56
*** su_zhang has quit IRC20:56
samueldmqayoung: and actually that new enforce method is what could be extracted to the new file (authorize.py or whatever)20:56
ayoungsamueldmq, looking20:56
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857020:58
ayoungsamueldmq, ah...so you ahve a "self" parameter there20:59
ayoungthat was the sticking point before.  I would like it to be non-controller specific20:59
samueldmqayoung: needed for the callback function20:59
ayoungbut I don't know if we can do that for the ones that need to fetch from the DB first21:00
*** lhcheng has joined #openstack-keystone21:00
*** ChanServ sets mode: +v lhcheng21:00
ayoungsamueldmq, that was why I never tangled with this.21:00
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916221:01
ayoungsamueldmq, but, maybe this is OK.  If it is a function that we can add to a controller, but is not specific to our tree, we can get the general purpose method I was hoping for21:01
samueldmqayoung: so you okay with sticking with the self for now ?21:01
samueldmqayoung: and put that in a separate file21:01
*** richm has joined #openstack-keystone21:01
ayoungyeah, put it in authorize.py21:02
ayoungif that works, it is a step in the right direction21:02
*** aginwala has quit IRC21:02
topolayoung, jamielennox I believe we are working on that.  jamielennox connect will paul czarkowski21:02
ayoungtopol, we just got it to merge for Tripleo, which is why I bring it up21:03
samueldmqayoung: we already have a authorization.py there21:03
*** aginwala has joined #openstack-keystone21:03
ayoungtopol, really want Eventlet Keystone to be a painful memory only21:03
ayoungsamueldmq, right, so you can move this function into that file21:03
*** jsavak has quit IRC21:03
ayoungthat file is supposed to be the non-controller specific authorization/policy check logic21:04
*** tsymanczyk has joined #openstack-keystone21:04
topolayoung, but its the only deployment I understand. Thats whats keeping it alive..21:04
jamielennoxayoung, topol: i agree thought there is a probem with mod_wsgi and multiple venvs and i don't know a way to solve it21:04
topolayoung, just kidding. we are working on that21:04
jamielennoxother than docker, docker, docker21:04
*** tsymanczyk is now known as Guest4758321:04
*** jsavak has joined #openstack-keystone21:04
ayoungjamielennox, funny you should say that:21:04
jamielennoxit's just moving your problem21:04
ayounghttp://adam.younglogic.com/2016/02/holla-kolla/ jamielennox21:04
topoljamielennox we should have a 1-1 sometime and compare notes on this21:05
*** jsavak has quit IRC21:06
ayoungtopol, so, venv is a poor man's container system.  Dawkah is the futchah!21:06
topolayoung, gotta run. one of your fellow bostonians is in town and Im taking him to dinner21:06
*** jsavak has joined #openstack-keystone21:06
topolayoung, agreed21:06
jamielennoxtopol: sure, i haven't gotten far other than it's something we'll need to fix and why it hasn't happened already21:07
*** mhickey has joined #openstack-keystone21:07
topoljamielennox catch me up some time on the issues.  Also we should discuss docker/venv21:07
jamielennoxayoung: so i have an annoyance with kolla that is probably unjustified seeing as how i looked at it for about 10 minutes21:07
topolgotta run21:08
ayoungjamielennox, Heh, I spent the day in the chat room with those guys.  I assure you there are issues21:08
jamielennoxayoung: i love the idea, the jinja2 formatting of the docker templates for multiple backends is super impressive21:08
jamielennoxthough i'm sure it's going to have problems21:08
jamielennoxayoung: but why did they build the kolla ansible stuff into the same project?21:09
*** raildo is now known as raildo-afk21:09
ayoungjamielennox, you mean both docker and ansible in the same one?21:09
jamielennoxright, i want the docker scripts21:09
*** su_zhang has joined #openstack-keystone21:09
jamielennoxthere is almost no chance i can use the ansible stuff21:09
jamielennoxi think they would have a way better time at adoption if they split those interests21:10
ayoungDo you have to use the ansible stuff?21:10
jamielennoxthis is why i said its probably unjustified given my 10 minute view21:10
jamielennoxbut from the howto/readme etc it's all about the ansible21:10
ayoungjamielennox, I think that Kolla and Docker in multiple containers needs orchestration no matter what.  From what I understand of Docker orchestation, most of it assumes a single host.  Ansible allows you to, potentially split it across multiple, so they weould b kindof limited if they did not21:11
jamielennoxany scenario i can see using this from involves building containers from CI and plugging it into something else21:11
*** aginwala has quit IRC21:11
ayoungjamielennox, right now I am just thinking Devstack replacement, and then Tripleo.21:12
jamielennoxanyway, i'm sure you could use the dockerfiles without the ansible stuff, but if they are looking for tips i think they should seperate those two concerns21:12
ayoungjamielennox, might be able to split into two repos, al-la Keystone and client did21:12
ayoungwe can talk with them about it in Austin21:13
jamielennoxfor the same reason i think OSA should split the roles out from the deployment system - something they are doing now21:13
ayoungjamielennox, need to get these two teams in the same room and hash out the lines of responsibility,21:14
jamielennoxayoung: those two aren't going to overlap in any meaningful way i think21:14
jamielennoxayoung: unfortunately i heard a limitation of kolla is that it can't use kubernetes for some reason, that's a huge shame21:15
ayoungjamielennox, I'd take your word on it.  I have not been involved with OSA at all, and Kolla only nominally.  But I would think an ansible install effort should be container based21:15
ayoungI need to have a lot more laid about before I could really get my head around what it should look like.21:16
*** aginwala has joined #openstack-keystone21:16
*** dan_nguyen has quit IRC21:18
*** spzala has joined #openstack-keystone21:19
*** spzala has quit IRC21:19
*** nekrodesk has quit IRC21:19
jamielennoxayoung: so OSA is doing lxc containers via ansible, i think a CI driven deployment (the ideal) might need to be container based21:20
*** pauloewerton has quit IRC21:24
*** pushkaru has quit IRC21:27
*** pushkaru has joined #openstack-keystone21:28
*** jorge_munoz has quit IRC21:29
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857021:37
*** jbell8 has joined #openstack-keystone21:38
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916221:39
*** mylu has joined #openstack-keystone21:39
*** jsavak has quit IRC21:41
*** mylu has quit IRC21:42
*** richm has quit IRC21:42
*** dan_nguyen has joined #openstack-keystone21:43
*** jbell8 has quit IRC21:44
*** jbell8 has joined #openstack-keystone21:45
*** jsavak has joined #openstack-keystone21:48
*** jsavak has quit IRC21:48
*** jsavak has joined #openstack-keystone21:49
*** jbell8 has quit IRC21:49
*** ninag has quit IRC21:51
*** ayoung has quit IRC21:52
*** aginwala has quit IRC21:54
*** daemontool_ has quit IRC21:56
*** aginwala has joined #openstack-keystone21:57
*** pgbridge has quit IRC21:58
*** nekrodesk has joined #openstack-keystone22:00
*** nekrodesk has quit IRC22:00
*** ayoung has joined #openstack-keystone22:00
*** ChanServ sets mode: +v ayoung22:00
*** chlong has quit IRC22:03
*** ebalduf has quit IRC22:03
*** pgbridge has joined #openstack-keystone22:04
*** nekrodesk has joined #openstack-keystone22:08
*** aginwala_ has joined #openstack-keystone22:10
*** aginwala has quit IRC22:10
*** clenimar has joined #openstack-keystone22:11
*** petertr7 is now known as petertr7_away22:18
*** knikolla has quit IRC22:19
*** vgridnev has quit IRC22:19
*** dims has quit IRC22:23
*** dims has joined #openstack-keystone22:26
openstackgerritBrant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/19893122:30
*** daemontool has joined #openstack-keystone22:34
*** sshen has joined #openstack-keystone22:35
*** ayoung has quit IRC22:37
*** ebalduf has joined #openstack-keystone22:43
*** mylu has joined #openstack-keystone22:45
openstackgerritBrant Knudson proposed openstack/keystone: Switch to configless bandit  https://review.openstack.org/27813622:46
*** henrynash has quit IRC22:48
*** clenimar has quit IRC22:50
*** ebalduf has quit IRC22:50
*** ninag has joined #openstack-keystone22:51
dolphmlbragstad dstanek and myself just finished open sourcing our custom plugins for deploying keystone into our public cloud :D win https://github.com/rackerlabs/capstone22:51
dolphmstevemar: ^22:52
*** jsavak has quit IRC22:52
*** aginwala_ has quit IRC22:56
*** ninag has quit IRC22:56
*** aginwala has joined #openstack-keystone22:56
*** sigmavirus24 is now known as sigmavirus24_awa22:58
openstackgerritMerged openstack/keystone: Stop using nose as a Python3 test runner  https://review.openstack.org/27805423:03
*** gildub has joined #openstack-keystone23:03
bknudson_dolphm: whoever drew those diagrams is sloppy.23:04
bknudson_dolphm: you're going to convert the catalog from v2 to v3?23:06
bknudson_https://github.com/rackerlabs/capstone/blob/master/capstone/token_provider.py#L8423:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947923:11
*** ninag has joined #openstack-keystone23:16
*** ninag has quit IRC23:16
*** slberger has left #openstack-keystone23:18
stevemardolphm: i was thinking there'd be much more :P23:20
*** mhickey has quit IRC23:24
ekarlsodolphm: u proxy to v2 ?23:25
*** ayoung has joined #openstack-keystone23:25
*** ChanServ sets mode: +v ayoung23:25
dstanekekarlso: we will :-)23:26
dstanekstevemar: eventually there will be23:27
*** pushkaru has quit IRC23:27
*** dan_nguyen has quit IRC23:28
*** chlong has joined #openstack-keystone23:30
dstaneklbragstad: iterating fast23:31
dstaneklbragstad: got time to test?23:31
ekarlsodstanek: evil evil evil :p23:34
ekarlsodstanek: why not use v3 ? :p23:34
dstanekekarlso: evil or clever?23:35
ekarlsodstanek: hehe, I dunno I just consume keystone :p23:35
dstanekekarlso: needs to use the data stored in the other system for now23:35
*** csoukup_ has quit IRC23:42
*** nekrodesk has quit IRC23:47
*** ayoung has quit IRC23:50
*** mylu has quit IRC23:52
*** mylu has joined #openstack-keystone23:53
*** csoukup_ has joined #openstack-keystone23:53
*** shoutm has joined #openstack-keystone23:57
« Wednesday, 2016-02-10 Index Friday, 2016-02-12 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!